Comments for Framing Computers Under the DMCA
A blog covering security and security technology.
2015-02-17T06:37:05Z

Comment from Alan on 2008-06-10
>They do seem to be quite restrictive in who they sue

Ok then, frame the senators' mothers, aunts, uncles, cousins... Or better yet, their mothers-in-law. That should do it.

2008-06-10T20:29:25Z

Comment from bob on 2008-06-10
@floodgate, Davi: frame@home!

2008-06-10T11:40:28Z

Comment from Tim on 2008-06-09 (http://pig.sty.nu/)
A simple tarpit is all that's necessary to attract the RIAA/MPAA's attention. I did it, just for kicks, about 4-5 years ago - a simple page listing various keywords in random order, some words made into links - using apache rewrites such that anything under the same directory just re-invoked the same script with yet another random output. (Hint: put a few delay/sleep commands in the script!) There were *no* "filez" stored anywhere, just links to URLs ending in .mp3, .m4a, .mpg, .torrent etc.... all of which had mime-type text/html and a few months later, the ISP phoned me... ;)

Stupid litigious yanks.

2008-06-09T22:32:38Z

Comment from Mark Simon on 2008-06-09 (http://www.eclipsecurityllc.com)
The take down notices sound more like spam, not legitimate DMCA take-down notices that are entitled to legal effect.

Since no infringing material existed, the notices could not have identified, as required by 17 U.S.C. 512(c)(3), "material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material."

It appears the researchers did not give any consideration to whether the take-down notices were entitled to any legal effect.

In any event, legal recourse exists against parties who cause unwarranted take-down notices to issue. See 17 USC 512(f).

2008-06-09T22:26:45Z

Comment from IronGeek on 2008-06-09
@Seth wrote "Laser printers are at least computers."

Right, you can change their display message with a PCL job, upload a hacked
firmware, have physical access to their disk, attack their unpatched base OS
(VxWorks, NetBSD), sniff the password and send rsh commands, or use them to
nmap the RIAA and the MPAA. Countermeasures are on http://www.irongeek.com/i.php?page=security/networkprinterhacking

2008-06-09T22:18:39Z

Comment from Clive Robinson on 2008-06-09
There is one area of "attack" or "detection" against the likes of the MPAA/RIAA/etc that has not been mentioned.

Like a lot of organisations attempting to monitor the Internet for what they regard as "significant activity" they are resource constrained by amongst other things cost.

The side effect of this is that the "efficient use" of resources is effectively mandated. Which usually means using one computer to do many many tasks or computers. Often this is by the use of VM type software and faking multiple IP addresses etc.

The most common place to see this is in Honey Nets where one machine pretends to be many. I fully expect these monitoring organisations to employ the same technology to hide their activities.

Unfortunately it has a fatal flaw if you know how to exploit it, and unlike Honey Nets these machines are active, which means they can be "decloaked passively"; it is just a matter of finding a workable method...

The fatal flaw is that the computer hardware only has a single hardware clock to which all of the computer's actions are tied, including all the virtual machines and multiple network cards with multiple IP addresses.

There is an existing attack known as "Timestamp enumeration" whereby you can detect which VMs and multiple IP addresses are all using the same hardware clock.

Unfortunately it uses the frequency delta of the hardware clock after it has effectively been divided down by the base operating system, so it can take an appreciable amount of time to establish that two VMs or IP addresses are using the same hardware clock (the greater the drift rate or frequency delta the faster the detection).

However the upside is that it uses very little in the way of resources to detect the timestamp delta, so many many VMs and IP addresses can be checked in parallel by a single computer.

A little while ago a friend and I tested out "timestamp enumeration" against a number of software development networks and found that the real number of computers and the number of VMs running on each could be reliably determined by the use of simple techniques that, although active, used packets spread out over a sufficiently large time period that the IDSs did not pick up on it. We then borrowed a network and installed a typical honey net setup and, lo and behold, it was easily detected without having to run anything that would have been treated as anything other than a fairly sedate slow scan.

So if you use the method described in the paper to get a list of "suspect" machines you can then fairly easily make the appropriate requests to ascertain the correlation on timestamp deltas. It is very likely that any two matching timestamp deltas on systems pretending to be different are almost guaranteed to be ones you want to avoid having any contact with.

Further, if you are acting as the reference for the p2p network you can monitor all the time stamps of requesting computers; again, detecting commonality of timestamp deltas would be suspicious.

So the hard part is determining the best method of implementation, then having detected the likely candidates, what do you do with them?

The thought occurs to me that you could take a leaf out of the honey net project and make your own virtual "tar pit" to send them to...

2008-06-09T18:37:55Z

Comment from Davi Ottenheimer on 2008-06-09 (http://davi.poetry.org/)
"Maybe something will change when they start suing some highly placed people, like members of parliament, or maybe their own board of directors."

Actually, I was thinking the opposite. The more rabbit holes they are forced to run down the higher their cost of follow-up and even litigation will run.

A massively scaled "framing" campaign widely spread across the general population could drag down even the most efficient MPAA/RIAA war engines.

Pardon the comparison to common history and warfare, but this has been a typical tactic to defeat conventional armies that try to occupy and control civilian populations. Once they lose the ability to ID guerrillas/resistance an army faces conflict with a general body that they usually lack the resources to control.

2008-06-09T18:36:48Z

Comment from floodgate on 2008-06-09
we need more studies like this.

if one study can generate 400 spurious takedown notices, imagine a massively networked effort designed to generate millions of worthless takedown notices a month...

2008-06-09T18:34:10Z

Comment from Davi Ottenheimer on 2008-06-09 (http://davi.poetry.org/)
"...University of Washington have demonstrated how lousy the MPAA/RIAA/etc. tactics are..."

I think a term like unfair or lazy might be a better way to describe the tactics.

Not sure what you mean by lousy, but there is an economic angle to these tactics that makes them fairly efficient (not lousy) for the attackers. They are able to spew frivolous and bogus litigation at little cost to themselves.

2008-06-09T18:31:04Z

Comment from Davi Ottenheimer on 2008-06-09 (http://davi.poetry.org/)
When you have a big and heavy enough hammer, everything starts to look like a nail.

2008-06-09T18:27:28Z

Comment from Alpha Prime on 2008-06-09
I'm wondering... there are penalties for frivolous lawsuits. If someone hid their encrypted files by using the names of current films and popular songs in order to test 'security by obscurity', then got sued for making the materials available, could they not counter sue to recover costs and damages?

After all, these files would only be useful to the P2P user, or group, that had the key and their presence on the net as something other than 'states-secrets.gpg' would be an application of security by obscurity.

2008-06-09T17:45:19Z

Comment from Pete on 2008-06-09
They do seem to be quite restrictive in who they sue: if you take a look at who they send their settlement proposals etc to, they pick the people with little means to defend themselves in court. Of course - any sane person would. Pick out the weakest in the herd, avoid the ones that look like they can defend themselves.

2008-06-09T17:27:49Z

Comment from Dom De Vitto on 2008-06-09 (http://devitto.com)
Anyone got a list of IPs used by senators....

Problem solved.

2008-06-09T17:26:17Z

Comment from a. on 2008-06-09
And once they find out the huge amount of downloads at 127.0.0.1, they'll sue the owner of that IP address....

2008-06-09T16:56:50Z

Comment from alan on 2008-06-09
Please tell me they printed their final report on the DMCA'd laserjet.

2008-06-09T16:01:03Z

Comment from Sparky on 2008-06-09
Maybe something will change when they start suing some highly placed people, like members of parliament, or maybe their own board of directors. I doubt the names and addresses are screened by anyone sufficiently intelligent to catch it in time.

Although I'd think that would also constitute computer fraud.

2008-06-09T15:24:30Z

Comment from Sparky on 2008-06-09
Maybe something will change when they start suing some highly placed people, like members of parliament, or maybe their own board of directors. I doubt the names and addresses are screened by anyone sufficiently intelligent to catch it in time.

2008-06-09T15:23:43Z

Comment from Carlo Graziani on 2008-06-09
MPAA: Tell me your IP address RIGHT NOW, you copyright-violating evildoer!

COPYRIGHT-VIOLATING EVILDOER: 127.0.0.1

MPAA: Right! We're off to the courthouse to teach you a lesson! You'll rue the day you stole from us!

[Later]

MPAA: Evildoer! You hacked our firewall!! You tricked us into serving papers on ourselves!!! The judge was not amused. But we've beefed up our firewall, and vengeance will be ours. What was that IP address again?

2008-06-09T15:02:50Z

Comment from Glenn on 2008-06-09
It's too bad they just make a joke out of it with that "wanted" picture at the top of their page. I haven't even paid attention to the EFF since they started that sort of thing--it's impossible to take people seriously who try to grab attention using a picture of Barney in handcuffs, like a cheap tabloid.

2008-06-09T14:41:24Z

Comment from Al on 2008-06-09
I wonder what would happen if someone 'framed' IP numbers belonging to the RIAA. Would the RIAA send itself a takedown notice?

teehee

a

2008-06-09T14:38:44Z

Comment from Pascal Juergens on 2008-06-09
Just a sidenote: it's nine DMCA notices to printers. "Over 400" is a figure from the NYT article and refers to all of the letters that they got. See page 3 of the paper for details.

2008-06-09T14:31:16Z

Comment from Sejanus on 2008-06-09
The link Johannes posted is about this:

In May 2008, MediaDefender was publicly accused of being the source of a distributed-denial-of-service attack on Revision3. Jim Louderback, Revision3 CEO charged that these attacks violated the Economic Espionage Act and the Computer Fraud and Abuse Act. As of May 2008, the Federal Bureau of Investigations was investigating the incident.
(Wikipedia)

It's amazing how people who claim to be "good guys" can act.

2008-06-09T14:08:27Z

Comment from Seth on 2008-06-09
Too bad they didn't have an old Epson 9-pin printer they could have implicated. Laser printers are at least computers.

Next, I suppose, it's time to get the takedown notices sent to whitehouse.gov and to get the RIAA and MPAA to start sending notices to each other.

I wonder what happens the next time the RIAA sues somebody and this paper is introduced by the defense.

2008-06-09T14:08:03Z

Comment from Trichinosis USA on 2008-06-09
Bwahahahaha, "Iron Man"!!!

2008-06-09T14:05:12Z

Comment from Tanuki on 2008-06-09
Now, I just wonder how long it'll be before the MPAA/RIAA start trying to issue takedown-notices against the owner(s) of IP-address 192.168.1.1 ??

2008-06-09T13:55:08Z

Comment from Johannes Berg on 2008-06-09 (http://johannes.sipsolutions.net/)
Odd. Right about the same time, I got a link to this: http://revision3.com/blog/2008/05/29/inside-the-attack-that-crippled-revision3

johannes

2008-06-09T13:16:34Z

Comment from Sejanus on 2008-06-09
Good job ;) Respect. I don't know much about USA, etc., but in my country (Lithuania) that copyright enforcement agency acts like yet another racket gang. It is hated even by people who are strongly against piracy or copyright violations.

2008-06-09T12:43:26Z

Comment from Clive Robinson on 2008-06-09
So the MPAA/RIAA/etc cannot do better than a "half a***" job, not really surprising when you look at DRM or any other of their control systems...

But they will unfortunately not give up as it is their way of life to accuse others of theft but excuse their own members of other activities which are legally questionable.

2008-06-09T12:20:29Z

Comment from Rich on 2008-06-09
How long will it be before someone forges headers and manages to get takedown letters sent to, for example, 209.98.82.69
(a.k.a. http://www.supremecourtus.gov)?

2008-06-09T12:20:04Z